MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e2a0a85c3ad93e14292ed2472855d157317f48abcde859c81d51dd42816be065. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Phorpiex


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e2a0a85c3ad93e14292ed2472855d157317f48abcde859c81d51dd42816be065
SHA3-384 hash: 5be4d9bb054a9c635b43bbfc30578fa43fafb3a2de3e2f659341fb939ad871a8e8a70efe919706b10943ebffa4a70d8d
SHA1 hash: 712d8cd858e466edfd52008b65b405c57f3f0ab9
MD5 hash: e879df3fc1421ae6fddb927b080a8544
humanhash: magazine-jersey-bluebird-romeo
File name:SecuriteInfo.com.Trojan.Siggen10.14421.24699.12427
Download: download sample
Signature Phorpiex
Create hunting rule
File size:77'312 bytes
First seen:2020-10-25 22:55:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 83ed03288aab5785fc4b7fc141b87ad3 (1 x Phorpiex)
ssdeep 768:2lpxyBtvUz6LI8Zj/rmUaLu3rmvBJ/izzFdLXf+lI7IMYum7WGa223hbykohrzhP:UvyjvUz6rmUay3rmszF1yP
TLSH E573E7667111EA91E5604C76B93BE69E8B5D3CB5CF01029BF6E0FF7F3470821DA12921
Reporter SecuriteInfoCom
Tags:Phorpiex

Intelligence

File Origin
# of uploads :
1
# of downloads :
129
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen10.14421.24699.12427.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Searching for the window
Searching for many windows
DNS request
Creating a window
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a file in the %temp% directory
Sending an HTTP GET request
Deleting a recently created file
Replacing files
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking the Windows Security Center notifications
Creating a file in the mass storage device
Sending an HTTP GET request to an infection source
Enabling threat expansion on mass storage devices by creating a special LNK file
Result
Threat name:
Phorpiex
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/510827
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to determine the online IP of the system
Drops PE files with benign system names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Tries to detect the country of the analysis system (by using the IP)
Yara detected Phorpiex
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 304554 Sample: SecuriteInfo.com.Trojan.Sig... Startdate: 26/10/2020 Architecture: WINDOWS Score: 100 47 api.wipmania.com 2->47 75 Antivirus / Scanner detection for submitted sample 2->75 77 Multi AV Scanner detection for submitted file 2->77 79 Yara detected Phorpiex 2->79 81 6 other signatures 2->81 9 SecuriteInfo.com.Trojan.Siggen10.14421.24699.exe 2 14 2->9         started        14 svchost.exe 1 1 2->14         started        16 svchost.exe 2->16         started        18 9 other processes 2->18 signatures3 process4 dnsIp5 71 worm.ws 217.8.117.10, 49712, 49730, 49731 CREXFEXPEX-RUSSIARU Russian Federation 9->71 45 C:\229183030814353\svchost.exe, PE32 9->45 dropped 103 Drops PE files with benign system names 9->103 105 Hides that the sample has been downloaded from the Internet (zone.identifier) 9->105 20 svchost.exe 4 25 9->20         started        73 127.0.0.1 unknown unknown 14->73 file6 signatures7 process8 dnsIp9 51 faugzeazdezgzgfr.ws 64.70.19.203, 49760, 49761, 49762 CENTURYLINK-LEGACY-SAVVISUS United States 20->51 53 worm.ws 20->53 55 5 other IPs or domains 20->55 89 Antivirus detection for dropped file 20->89 91 System process connects to network (likely due to code injection or exploit) 20->91 93 Multi AV Scanner detection for dropped file 20->93 95 3 other signatures 20->95 24 3514415323.exe 15 20->24         started        29 2093619172.exe 16 20->29         started        31 1964835257.exe 16 20->31         started        33 1117434247.exe 15 20->33         started        signatures10 process11 dnsIp12 57 api.wipmania.com 212.83.168.196, 49752, 49793, 49795 OnlineSASFR France 24->57 39 C:\3575284729107\svchost.exe, PE32 24->39 dropped 97 Drops PE files with benign system names 24->97 99 Hides that the sample has been downloaded from the Internet (zone.identifier) 24->99 35 svchost.exe 12 24->35         started        59 mta5.am0.yahoodns.net 67.195.204.79, 25, 49758 YAHOO-3US United States 29->59 61 icanhazip.com 147.75.47.199, 49759, 49773, 80 PACKETUS Switzerland 29->61 65 2 other IPs or domains 29->65 101 Contains functionality to determine the online IP of the system 29->101 63 mta7.am0.yahoodns.net 98.136.96.76, 25, 49771 YAHOO-NE1US United States 31->63 67 2 other IPs or domains 31->67 69 2 other IPs or domains 33->69 41 C:\Users\user\AppData\Local\Temp\10198.exe, PE32 33->41 dropped 43 C:\Users\user\AppData\...\winsysdrv[1].exe, PE32 33->43 dropped file13 signatures14 process15 dnsIp16 49 api.wipmania.com 35->49 83 Antivirus detection for dropped file 35->83 85 Multi AV Scanner detection for dropped file 35->85 87 Machine Learning detection for dropped file 35->87 signatures17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e2a0a85c3ad93e14292ed2472855d157317f48abcde859c81d51dd42816be065/
Threat name:
Win32.Worm.Phorpiex
Create hunting rule
Status:
Malicious
First seen:
2020-09-25 23:46:35 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4kqkqxb23e7bikjo2jdsqvork4yx6sflzxuftsa5khoufall4bsq._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan persistence
Link:
https://tria.ge/reports/201025-l7ryttgr4a/
Behaviour
Suspicious use of WriteProcessMemory
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Windows security modification
Executes dropped EXE
Windows security bypass
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Phorpiex
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/e2a0a85c3ad93e14292ed2472855d157317f48abcde859c81d51dd42816be065

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Phorpiex

Executable exe e2a0a85c3ad93e14292ed2472855d157317f48abcde859c81d51dd42816be065

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/455792/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/23071/
  
URLhaus
https://urlhaus.abuse.ch/url/399892/
  
URLhaus
https://urlhaus.abuse.ch/url/432782/
  
URLhaus
https://urlhaus.abuse.ch/url/432795/
  
URLhaus
https://urlhaus.abuse.ch/url/336680/
  
URLhaus
https://urlhaus.abuse.ch/url/347735/
  
URLhaus
https://urlhaus.abuse.ch/url/399897/
  
URLhaus
https://urlhaus.abuse.ch/url/373420/
  
URLhaus
https://urlhaus.abuse.ch/url/373658/
  
URLhaus
https://urlhaus.abuse.ch/url/373422/
  
URLhaus
https://urlhaus.abuse.ch/url/621240/
  
URLhaus
https://urlhaus.abuse.ch/url/621282/
  
URLhaus
https://urlhaus.abuse.ch/url/621501/
  
URLhaus
https://urlhaus.abuse.ch/url/623138/
  
URLhaus
https://urlhaus.abuse.ch/url/623153/
  
URLhaus
https://urlhaus.abuse.ch/url/748779/

Comments